If your security network isn’t well secured, what is the risk? In the last installment we went through what an attack on a security network could look like. In this installment we’ll look at the very real question of how the security network could become a vector in an attack on the corporate network. An attack on the security network could lead to some degree of failure in the security system, but the implications of an attack on the corporate network can be far more troubling.
“Network Security” is not the binary designation that we wish it could be. No network is completely secure and our efforts in securing a network move us along a network security continuum. Each step towards becoming more secure is based on good planning and design. We examine all the factors that contribute to better security and address them in a structured manner. Leaving one “soft surface” in the security design pushes us back towards a less secure position on the network security continuum.
An unsecured network is a risk to itself, but its proximity to the corporate network is also a risk.
To understand how this happens we’ll look at the conditions necessary for a network intrusion to occur. Any network intrusion requires four distinct factors:
- Inside Knowledge
Each step that we take in securing a network has the goal of limiting each of these factors. Of course we cannot limit a hacker’s expertise, but a strong network security design will require the hacker to have a greater amount of expertise.
When two or more networks coexist in the same physical space there is a risk created by proximity. There are usually legitimate links between networks that are secured through firewalls. Typically in a security network, the director of security’s PC will be on the corporate network but will access the security network through a controlled route – the firewall. The danger is that over time there may be “workarounds” that are used to add connectivity to the security network, bridging networks in a less secure manner. If we allow the intruder unfettered access and time, the chance is much higher that they will either locate a less secure route or mount a successful attack on the firewalled connection to the corporate network.
There are several distinct factors that allow us to successfully “harden” a security or industrial network to reduce the likelihood that it will become an “attack surface”. When we look at how an intruder gains access to the network, we can see clearly three distinct vulnerabilities. First is the traditional breach through a public network. Protection of the gateway between the internet and a private network is well documented and understood. The protection is provided by security protocols (IPsec), security hardware (the firewall) and a series of policies and procedures. Maintaining this type of security requires a strong design and a security team that monitors the performance of their hardware, applies firmware updates and watches for vendor notices of vulnerabilities in the products.
The second attack surface is the “trusted PCs” that have legitimate access to the network. Each PC must be protected with automated security updates and virus protection, but the bigger risk is the behavior of the user. A user who engages in risky internet behavior, visiting sites that may be compromised, “surfing” links from site to site and so on, can inadvertently install malware on the PC that hands control of the PC to an outsider. Similarly, using e-mail on a PC increases the possibility of a “phishing” or “spear-phishing” attack. The user receives an official-looking e-mail which contains a link that they are encouraged to follow. Clicking on the link exposes the PC to malware that compromises the security of the PC and of the networks it is attached to.
At Christmas 2015 a portion of the power grid in Ukraine was brought down through a spear-phishing attack that was disguised as a memo from the upper management of the utility. In this case there were trusted PCs in the network that were infected from the corporate network but that provided the intruders with access to the industrial network.[1]
The means of protecting a trusted PC is a combination of user training and restricting the activities and the software that can be run on the machine. These strategies will involve security policies that disable e-mail attachment macros, restrict software from running from specific directories on the PC and remove local administrator privileges.
The third attack surface on the unsecured security network is “layer 2 access”. Layer 2 access to the network is through access to the ports on a network switch. Typically the intruder is plugging into an unused port on a switch or installing a switch or access point on a port used for a camera or intercom. The security device continues to function, so nothing appears to be wrong, while the intruder plugs their own equipment into the renegade device. The troubling aspect of this attack surface is that it does not require a high level of expertise to launch and will remain undetected unless the network has been properly configured. The risk of layer 2 intrusions is specifically an internal risk and, according to the 2015 Verizon Data Breach Report, was the vector used for 70% of the cases where data was stolen from a company.[2]
The protection of layer 2 on a network is not complicated. The most basic steps involve locking device MAC addresses to a specific port and turning off any unused ports. A more comprehensive design would include filtering the traffic on the device ports to allow ONLY the traffic that is required for that device and to produce notifications to the IT department whenever any forbidden traffic starts to show up on the network. This approach produces an alert that an intrusion is underway and limits the time that an intruder would have to move from the security network to the corporate network.
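The following Python is an added example that models the per-port controls just described: each device port is bound to one expected MAC address and to the traffic that device legitimately needs, unused ports are expected to carry nothing, and anything else produces an alert for the IT department. It is not Fancom’s code or any switch vendor’s configuration; the port names, MAC addresses, subnets and sample flow records are constructed for the example.

```python
"""Per-port layer 2 policy check over constructed switch traffic records.

Added example (not the article's or any vendor's code). One PortPolicy per
switch port: the MAC that should be there and the traffic that device needs.
A camera that streams RTSP to the video servers is allowed; a laptop plugged
in behind the camera and probing the corporate subnet is not, and neither is
anything at all on a port that should be shut down.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class PortPolicy:
    """What one switch port is allowed to carry."""
    expected_mac: Optional[str]                          # None: unused port, must carry nothing
    allowed_services: set = field(default_factory=set)   # (proto, dst_port) pairs the device needs
    allowed_dst: list = field(default_factory=list)      # networks the device may reach


VIDEO_SERVERS = ip_network("10.20.0.0/24")   # constructed: video recorder / VMS subnet
CORP_NET = ip_network("10.1.0.0/16")         # constructed: corporate subnet (never a camera destination)

# Constructed policy table; port names follow a common switch naming style.
POLICY = {
    # camera: RTSP to the video servers only
    "Gi1/0/1": PortPolicy("00:11:22:33:44:01", {("tcp", 554)}, [VIDEO_SERVERS]),
    # intercom: SIP signalling to the video/intercom server subnet only
    "Gi1/0/2": PortPolicy("00:11:22:33:44:02", {("udp", 5060)}, [VIDEO_SERVERS]),
    # spare port: should be administratively shut down
    "Gi1/0/24": PortPolicy(None),
}


@dataclass(frozen=True)
class Flow:
    """One observed conversation on a switch port (constructed telemetry)."""
    port: str
    src_mac: str
    dst_ip: str
    proto: str
    dst_port: int


def check_flow(flow: Flow, policy=POLICY) -> list:
    """Return the alerts this flow raises; an empty list means it is permitted."""
    rule = policy.get(flow.port)
    if rule is None:
        return [f"{flow.port}: no policy defined for this port"]
    if rule.expected_mac is None:
        return [f"{flow.port}: traffic on a port that should be shut down"]
    alerts = []
    # Port-security style check: only the enrolled device may appear on this port.
    if flow.src_mac.lower() != rule.expected_mac.lower():
        alerts.append(f"{flow.port}: unexpected device {flow.src_mac} (expected {rule.expected_mac})")
    # Destination filter: the device may only talk to its own servers.
    dst = ip_address(flow.dst_ip)
    if not any(dst in net for net in rule.allowed_dst):
        alerts.append(f"{flow.port}: destination {flow.dst_ip} not permitted for this device")
    # Service filter: only the protocol/port the device needs is allowed.
    if (flow.proto.lower(), flow.dst_port) not in rule.allowed_services:
        alerts.append(f"{flow.port}: {flow.proto}/{flow.dst_port} not permitted for this device")
    return alerts


def audit(flows, policy=POLICY) -> list:
    """Run every flow through the policy and return the combined alert list."""
    alerts = []
    for flow in flows:
        alerts.extend(check_flow(flow, policy))
    return alerts


# Constructed sample traffic: two normal flows, then two that should alert.
SAMPLE_FLOWS = [
    Flow("Gi1/0/1", "00:11:22:33:44:01", "10.20.0.10", "tcp", 554),   # camera streaming normally
    Flow("Gi1/0/2", "00:11:22:33:44:02", "10.20.0.11", "udp", 5060),  # intercom registering normally
    Flow("Gi1/0/1", "de:ad:be:ef:00:01", "10.1.5.20", "tcp", 445),    # second device behind the camera, SMB to corporate
    Flow("Gi1/0/24", "de:ad:be:ef:00:02", "10.1.5.21", "tcp", 22),    # something plugged into the spare port
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print("ALERT", line)
```

The third sample flow raises three alerts at once (unknown MAC, forbidden destination, forbidden service), which is the point of the layered design: even if the intruder spoofs the camera’s MAC, the traffic filter still fires, and the alert arrives while the intruder is still on the security network rather than after they have reached the corporate one.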
A strong network security design is an essential factor in preventing network intrusions and reducing the potential harm from a security breach. A professional network design addresses all potential attack surfaces and provides notification when “all is not right”. Consider the threat that an unsecured network creates to the surrounding networks and manage the risk.
If you’d like more information on Network Security we would be happy to hear from you. We can be reached at 905-990-4845 or [email protected]. Fancom Communications Engineering is the first step in assessing, planning and implementing or changing your secure network structure before intrusions happen! Contact us today to discuss.
[1] Dan Goodin, “First known hacker-caused power outage signals troubling escalation”, Arstechnica.com, Jan 4, 2016, 3:36pm EST.
[2] 2015 Data Breach Investigations Report, Verizon Enterprises.